Security goals in a computing system include confidentiality, integrity, and availability. These goals are promoted by implementing administrative, technical, and physical security controls which attempt to detect, prevent, contain, or mitigate unauthorized access to secured items and to allow authorized access to secured items. Secured items may be, e.g., data, services, or physical items.
Computing system administrators at governmental agencies, institutions, and commercial enterprises often follow a “principle of least privilege” by giving each user only the security privileges that the user needs to do her or his assigned job. When a user changes job roles, a privilege review helps prevent the user from retaining privileges they no longer need; this reduces “privilege creep”. In particular, it is prudent to promptly disable or remove all privileges when a user is terminated from employment.
In many computing systems, secured items are accessed by a given user through a user account that is established for the user by an authorized administrator of the computing system. Controlled access to an item often undergoes security phases such as identification, authentication, authorization, auditing, and accountability. Identification of the user with respect to an account is performed with a username, email address, user number, or other user identifier. Authentication of the asserted identity is performed using one or more factors such as something the user knows (e.g., a password), something the user has (e.g., a keycard), and something the user is (e.g., biometric such as an iris scan or fingerprint). Authorization may implement a discretionary control, e.g., an access control list managed per-item by the user, or a mandatory control such as a user clearance level, need-to-know, and item classification. Access activities may be audited by inspecting usage logs, and by automated tools such as intrusion detection systems. Accountability can be imposed by enforcing technical, administrative, or legal consequences for unauthorized access activities, including actual or attempted unauthorized access to secured items.